1. Field
The present invention relates generally to computer security and, more specifically, to using digital signatures of platform components as a measurement of trust in a computing environment.
2. Description
A Trusted Platform Module (TPM) is a component of a trusted computing platform as defined by the Trusted Computing Group. The TPM, which is used as a root of trust for a computing platform, has a set of Platform Configuration Registers (PCRs), and at least one public/private key pair. During the boot of a trusted computing environment, a root of trust component will load a software module, compute the hash of the software module, send the hash to a PCR, and then transfer control to that software module. The software module may then repeat this process with a new software module, and may send the hash of the new software module to a new PCR, or it may extend the hash of a PCR that was previously used. This process may be repeated many times. In the end, there are one or more PCRs that have a measurement of all the software that is in control of the trusted computing environment.
Sealed storage is one of the features of a trusted computing platform. The TPM may encrypt a portion of data called a blob, which consists of a set of PCR values and a secret. Later, when the blob is presented to the TPM for decryption, the TPM will decrypt it, and check whether the PCR values specified in the blob are the same as the PCR values that are currently stored in the PCRs in the TPM. Only if this check passes will the TPM release the decrypted secret to the platform. Thus the sealed secret is only available to the computing environment specified by the blob. If some other environment has launched on the computing platform, then the TPM will not release the secret.
One problem with making sealed secrets work in practice is that there are many legitimate reasons for changing some portion of the computing environment on the platform. In this case, the sealed secret would need to be migrated to the new environment. This could be accomplished by first launching the old environment that was the same as the environment specified in the encryption blob. The secret in the blob would be released to this environment. The PCR values that will correspond to the new environment would be calculated. Then the secret and the new PCR values would be given to the TPM with an instruction to create a new blob with the same secret and the new PCR values.
This process works fine if the application that requires the sealed secret is aware of any changes in the environment. However, if the environment has changed without the sealed secret having been migrated, then there is a problem, because for the application to be able to recover the sealed secret, the application would have to get the old environment launched again. This is particularly a problem if the environment includes the basic input/output system (BIOS) and option read-only memories (ROMs).
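The measured-boot, sealing and migration procedure described above, as an added example that is not part of the patent text: a Python model in which each component is hashed and extended into a PCR before control passes to it, a blob binds a secret to a set of PCR values, and unsealing succeeds only when the current PCRs match. The firmware images, the secret and the TPM storage key are constructed stand-ins; the HMAC tag models the fact that the blob's PCR list and secret cannot be altered outside the TPM (a real TPM also encrypts the blob, which is omitted here so the binding logic stays visible). The scenario at the end shows the failure mode the last paragraph describes: a BIOS update without migration leaves the secret unrecoverable, while migration performed from the still-running old environment carries it over.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

DIGEST = hashlib.sha256
DIGEST_LEN = DIGEST().digest_size  # 32 bytes
NUM_PCRS = 8

# Constructed stand-in for a key held inside the TPM; a real TPM never exposes it.
TPM_STORAGE_KEY = b"constructed-tpm-storage-key-for-illustration"


def pcr_extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR_new = H(PCR_old || measurement).
    Order matters, so the final value records the whole chain of loads."""
    return DIGEST(pcr_value + measurement).digest()


def measure_boot_chain(modules: List[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Simulate measured boot: each (pcr_index, module_image) is hashed and
    extended into its PCR before control would pass to that module.
    PCRs start at all-zero as in a freshly reset TPM."""
    pcrs = {i: bytes(DIGEST_LEN) for i in range(NUM_PCRS)}
    for index, module in modules:
        pcrs[index] = pcr_extend(pcrs[index], DIGEST(module).digest())
    return pcrs


@dataclass(frozen=True)
class SealedBlob:
    """Model of a sealed blob: the PCR values it is bound to, the secret, and a
    tag under the TPM-held key so neither can be changed outside the TPM."""
    expected_pcrs: Tuple[Tuple[int, bytes], ...]
    secret: bytes
    tag: bytes


def _blob_tag(expected_pcrs: Tuple[Tuple[int, bytes], ...], secret: bytes) -> bytes:
    """Integrity tag over the PCR binding and the secret (constructed model)."""
    h = hmac.new(TPM_STORAGE_KEY, digestmod=DIGEST)
    for index, value in expected_pcrs:
        h.update(index.to_bytes(1, "big") + value)
    h.update(secret)
    return h.digest()


def seal(secret: bytes, pcrs: Dict[int, bytes], indices: Iterable[int]) -> SealedBlob:
    """Bind a secret to the current values of the selected PCRs."""
    expected = tuple((i, pcrs[i]) for i in sorted(indices))
    return SealedBlob(expected, secret, _blob_tag(expected, secret))


def unseal(blob: SealedBlob, current_pcrs: Dict[int, bytes]) -> Optional[bytes]:
    """Release the secret only if the blob is intact and every bound PCR matches."""
    if not hmac.compare_digest(blob.tag, _blob_tag(blob.expected_pcrs, blob.secret)):
        return None  # blob altered outside the TPM
    for index, expected in blob.expected_pcrs:
        if not hmac.compare_digest(current_pcrs[index], expected):
            return None  # a different environment is running
    return blob.secret


def migrate(blob: SealedBlob, current_pcrs: Dict[int, bytes],
            new_pcrs: Dict[int, bytes]) -> Optional[SealedBlob]:
    """Migration as described: unseal in the old environment, then reseal the
    same secret against the precomputed PCR values of the new environment."""
    secret = unseal(blob, current_pcrs)
    if secret is None:
        return None
    return seal(secret, new_pcrs, [i for i, _ in blob.expected_pcrs])


# Constructed sample images standing in for real platform components.
BIOS_V1 = b"BIOS image v1 (constructed)"
BIOS_V2 = b"BIOS image v2 (constructed)"
OPTION_ROM = b"option ROM image (constructed)"
BOOTLOADER = b"boot loader image (constructed)"
OLD_ENV = [(0, BIOS_V1), (0, OPTION_ROM), (4, BOOTLOADER)]
NEW_ENV = [(0, BIOS_V2), (0, OPTION_ROM), (4, BOOTLOADER)]  # BIOS updated
SEAL_PCRS = (0, 4)


def run_scenario() -> Dict[str, bool]:
    """Seal in the old environment, then compare the unmigrated and migrated paths."""
    secret = b"disk encryption key (constructed)"
    old_pcrs = measure_boot_chain(OLD_ENV)
    new_pcrs = measure_boot_chain(NEW_ENV)  # computed in advance, before rebooting
    blob = seal(secret, old_pcrs, SEAL_PCRS)

    # Environment changed without migration: the TPM withholds the secret.
    unmigrated = unseal(blob, new_pcrs)
    # Proper migration while the old environment is still in control.
    migrated_blob = migrate(blob, old_pcrs, new_pcrs)
    after_migration = None if migrated_blob is None else unseal(migrated_blob, new_pcrs)
    # Re-pointing the old blob at the new PCR values outside the TPM does not work.
    forged = SealedBlob(migrated_blob.expected_pcrs, blob.secret, blob.tag)

    return {
        "old_env_releases": unseal(blob, old_pcrs) == secret,
        "unmigrated_releases": unmigrated is not None,
        "migrated_releases": after_migration == secret,
        "forged_releases": unseal(forged, new_pcrs) is not None,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Two details worth noting in the model: because extend hashes the old PCR value together with the new measurement, the same modules loaded in a different order yield a different PCR value, so the PCR records the sequence and not merely the set of components; and the new PCR values can be computed from the new images before the new environment is ever booted, which is what makes migration from the old environment possible.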